The FBI raided the Florida headquarters of PAX, a Shenzhen, China-based retailer of point-of-sale devices. The raid came amid accusations that the point-of-sale (PoS) endpoint devices sold by PAX contain backdoors that allow malware to be executed remotely. Brian Krebs, the long-time computer security investigative reporter behind KrebsOnSecurity, wrote that confidential sources claimed network traffic from the PoS devices supplied by PAX contained indicators of malicious activity, including irregular packet sizes that did not match expected transaction traffic or updates. According to the source, the terminals appeared to be used both as a malware dropper for malicious files and as a command and control (C2) server. Krebs also reported that several sources claimed two major financial infrastructure companies in the USA and UK were actively replacing these devices. PAX reportedly has more than 60 million PoS terminals installed in 120 countries.
PoS terminals are a frequent target of financially motivated criminals. Both malicious traffic and the use of a PoS terminal as a C2 server should be detectable by perimeter security solutions. Security teams should be able to identify such traffic using Intrusion Detection Systems (IDS) or packet capture. Organizations are advised to focus on perimeter security, network traffic analysis, and post-exploitation detection strategies that together form a defense-in-depth approach for today’s quickly moving threat environment.
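The detection approach described above can be illustrated with a small flow-analysis script. This is an added example, not code from the original article or from PAX or any IDS vendor: it assumes PoS terminals sit in their own subnet and are only expected to talk to a payment processor and a vendor update server (all addresses and flow records below are constructed), and it flags the three behaviours the report mentions: outbound connections to unexpected destinations (dropper-style fetches), inbound connections to a terminal (a terminal acting as a C2 server), and flows whose average packet size is far from the terminal's normal traffic profile.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One summarised network flow, as an IDS or NetFlow collector would emit it (constructed)."""
    src: str
    dst: str
    dst_port: int
    packets: int
    bytes: int

    @property
    def avg_packet_size(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


# Assumed environment: terminals live in one VLAN and should only reach the
# payment processor and the vendor update server. Addresses are constructed.
POS_SUBNET = "10.20.30."
EXPECTED_PEERS = {("203.0.113.10", 443), ("203.0.113.20", 443)}


def is_pos(ip: str) -> bool:
    return ip.startswith(POS_SUBNET)


def talks_to_expected_peer(f: Flow) -> bool:
    return is_pos(f.src) and (f.dst, f.dst_port) in EXPECTED_PEERS


def robust_size_baseline(flows):
    """Median and MAD of average packet size over flows to expected peers.

    Median/MAD rather than mean/stdev so that a few large anomalous flows
    cannot pull the baseline toward themselves and hide.
    """
    sizes = [f.avg_packet_size for f in flows if talks_to_expected_peer(f) and f.packets]
    if not sizes:
        return 0.0, 1.0
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes)
    return med, (1.4826 * mad) or 1.0  # 1.4826 scales MAD to a stdev-like unit


def flag_flows(flows, size_threshold=3.0):
    """Return (flow, reason) pairs for flows that deviate from the expected PoS profile."""
    med, scale = robust_size_baseline(flows)
    findings = []
    for f in flows:
        if is_pos(f.src) and not is_pos(f.dst) and (f.dst, f.dst_port) not in EXPECTED_PEERS:
            findings.append((f, "unexpected outbound destination"))
        elif is_pos(f.dst) and not is_pos(f.src):
            findings.append((f, "inbound connection to terminal"))
        elif talks_to_expected_peer(f) and abs(f.avg_packet_size - med) / scale > size_threshold:
            findings.append((f, "irregular packet size"))
    return findings


# Constructed sample flows: four normal transactions, one fetch from an unknown
# host, one inbound connection to a terminal, one oversized flow to the
# processor, and one more normal update check.
SAMPLE_FLOWS = [
    Flow("10.20.30.5", "203.0.113.10", 443, 20, 12000),
    Flow("10.20.30.6", "203.0.113.10", 443, 30, 18000),
    Flow("10.20.30.7", "203.0.113.20", 443, 10, 6200),
    Flow("10.20.30.5", "203.0.113.10", 443, 25, 14500),
    Flow("10.20.30.6", "198.51.100.77", 8080, 40, 1600),
    Flow("192.0.2.9", "10.20.30.7", 4444, 12, 900),
    Flow("10.20.30.5", "203.0.113.10", 443, 50, 75000),
    Flow("10.20.30.6", "203.0.113.20", 443, 15, 9000),
]


if __name__ == "__main__":
    for flow, reason in flag_flows(SAMPLE_FLOWS):
        print(f"{reason:32s} {flow.src} -> {flow.dst}:{flow.dst_port} "
              f"({flow.packets} pkts, {flow.avg_packet_size:.0f} B/pkt)")
```

On the sample data the script reports three flows: the fetch from 198.51.100.77, the inbound connection from 192.0.2.9, and the 1500-byte-per-packet flow to the processor. In a real deployment the expected-peer list and the size baseline would come from a learning period over known-good traffic, and the findings would feed an IDS alert or a SIEM rule rather than stdout.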